List:       kmail-devel
Subject:    Re: Saving of passwords (Was: Security status)
From:       Andreas Gungl <Andreas.Gungl () osp-dd ! de>
Date:       2000-02-07 14:11:03

Stefan Taferner wrote:
> 
> On Mon, 07 Feb 2000, Waldo Bastian wrote:
> > On Mon, 07 Feb 2000, George Staikos wrote:
> [...]
> > By pulling sensitive data out of the config file and into a separate
> > file it is easier to give this file the right permissions.
> 
> Maybe we should suggest to have a directory
> ~/.kde/secure  ?
> 
> I think there are other files also that should not be world readable.
> 
> > > > > We're just adding
> > > > > more security through obscurity, really.
> > > >
> > > > Scrambling the password to make it "non-plaintext" falls in the
> > > > category "security through obscurity". Ensuring correct
> > > > file-permissions on sensitive data is a sane way to build a secure
> > > > system.
> > >
> > >    Correct and this should be on the homedirectory and the .kde
> > > directory.
> >
> > Bullshit. Not everything in my home / .kde directory needs to be
> > inaccessible just because a mail-program is too lazy to set correct
> > file-permissions.
> 
> Did you discuss these things with others too?
> 
> There is a kcontrol module that sets things for email sending and
> receiving. This is the first place where something shall be fixed.
> 
> Besides that I agree with what others said: if somebody does a
> chmod -R a+r ~/.kde  then *all* the files will be readable. Your
> suggestion with the separate file does not change anything.
> 
> The best way IMO is to use a real two way encryption algorithm
> for the password file. Does anybody know a good and free one
> that can be distributed all over the world?

I can't see an advantage in this. To work with that new encryption
algorithm you would need another password/phrase. Where do you want to
store this one? On disk? ;-)
(Oh. Please recognize the smiley.)
 
> --Stefan

Actually I don't have a better solution. I'd prefer a special file and
a hint for all users on top of the documentation, better not to store
the password on disk.

Andreas
